Re: How to debug a TLSv1.3 protocol problem?

Hi Claus,

On 18/05/20 20:59, Claus Assmann wrote:
> On Mon, May 18, 2020, Alexander Gryanko wrote:
>
> [thanks for the hints, I will try that ASAP]
>
>> But first of all, check your cert type. Looks like you are using non-RSA
>> cert which is not supported by S8.
> As I wrote: it works fine if I don't use TLSv1.3 or if I use openssl
> s_client with TLSv1.3 (it is an RSA cert and I also tested against
> another S8 server which uses a Let's Encrypt cert).
FWIW: adding TLS 1.3 support to my EAP-TLS code got me stumped for a while as well. I eventually added the following snippet:

    /* Set up a SSL Session cache with a callback. This is needed for TLSv1.3+.
     * During the initial handshake the server signals to the client early on
     * that the handshake is finished, even before the client has sent its
     * credentials to the server. The actual connection (and moment that the
     * client sends its credentials) only starts after the arrival of the first
     * session ticket. The 'ssl_new_session_cb' catches this ticket.
     */
    SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_STORE);
    SSL_CTX_sess_set_new_cb(ctx, ssl_new_session_cb);



with

#include <openssl/ssl.h>

/* dbglog() is the EAP-TLS code's own logging helper. */
int ssl_new_session_cb(SSL *s, SSL_SESSION *sess)
{
    (void)s;
    dbglog("EAP-TLS: Post-Handshake New Session Ticket arrived:");

    /* Return 0: we do not keep 'sess', so OpenSSL drops the extra reference it
     * took before calling us. Returning 1 would mean we own that reference and
     * must call SSL_SESSION_free() ourselves later; without that it leaks one
     * session per ticket. The callback firing is all we need here. */
    (void)sess;
    return 0;
}


This callback is necessary as otherwise the client thinks the session handshake is done too soon (and in my case, it does not bother to send any client-side certificate info to the server).

Perhaps you are seeing something similar? If not, then sorry for the noise.

HTH,

JJK / Jan Just Keijser
